Replacing SSL certificates on a Windows server running GW18 WebAccess.

  • 7022859
  • 17-Apr-2018
  • 05-Feb-2020

Environment

GroupWise 18

Situation

When you install WebAccess from the GW18 software on a Windows server, it is pre-configured with a self-signed certificate. This does not meet your requirements, and you want to replace it with your existing official certificates.

Resolution

There are two ways to secure the shipped Tomcat/Apache combination:

1. Securing the Java portion (using the Java-based keytool utility and a .keystore certificate file).
2. Securing the Apache (web) portion (using the openssl tool).

Please note that because these are two different tools and approaches, certificates generated for Apache web servers cannot be used to secure Tomcat simply by copying them into place.

The shipped Tomcat/Apache configuration uses the first option, with a default self-signed certificate for localhost.
The key file for the desired configuration change is "server.xml", located in the C:\Novell\GroupWise\Tomcat\conf directory.
Using any text editor, you can find the SSL configuration sections, which you can enable or disable.
As noted above, by default the Java/Tomcat approach is used, with the ".keystore" file located in the C:\Novell\GroupWise\Tomcat\conf directory.
If you now want to switch from securing the Java portion to securing the Apache portion, open server.xml in a text editor and search for

 <Certificate certificateKeystoreFile="conf/.keystore"

Then comment this section out using the starting tag <!-- and the ending tag -->. The result should look like the example below:

<!--
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/.keystore"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
-->

Right below this Tomcat/Java secure section there is a disabled traditional web server configuration section, which you can enable by removing the "<!--" and "-->" tags. In this section, specify your corporate key and certificate file names, as in the example below:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/<corp_private_key>.key"
                         certificateFile="conf/<corporate_ssl_certificate>.cer"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>


In this example, the corporate private key and certificate file were copied into the C:\Novell\GroupWise\Tomcat\conf directory.

Note: If the private key has a passphrase, this will NOT work. You will get an SSL_protocol_error when trying to open the WebAccess URL. A new private key without a passphrase will have to be created from the existing private key. The easiest way to do this is to put a copy of the private key on a Linux server and run this openssl command against it:

openssl rsa -in corp_private.key -out nopassword.key

This command prompts for the passphrase and outputs a new key without a passphrase. Put the new private key (nopassword.key in the example above) in the C:\Novell\GroupWise\Tomcat\conf directory. Then open server.xml in the conf directory and point certificateKeyFile to the new key file.

Once this is done, save your changes and restart the "Apache Tomcat 8.5 Tomcat 8" service.
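As an added check (example code written for this article, not part of the GroupWise product), the following Python script inspects a server.xml of the shape shown above, reports which of the two approaches the live SSL connector uses, and flags a PEM private key that still carries a passphrase, the condition behind the SSL_protocol_error noted above. The sample server.xml and key headers are constructed inline; file names such as conf/corp_private.key are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml layout described above: the
# shipped keystore connector commented out, the Apache-style connector enabled.
SAMPLE_SERVER_XML = """<Server>
  <!--
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/.keystore" type="RSA" />
    </SSLHostConfig>
  </Connector>
  -->
  <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeyFile="conf/corp_private.key"
                   certificateFile="conf/corp_cert.cer" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Server>"""

# Header markers of a passphrase-protected PEM key (PKCS#8 and legacy OpenSSL).
ENCRYPTED_PEM_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")

def active_tls_certificates(server_xml: str) -> list:
    """Attribute dicts of <Certificate> elements under SSL-enabled connectors.
    ElementTree drops XML comments, so a commented-out connector is skipped,
    just as Tomcat will not load it."""
    root = ET.fromstring(server_xml)
    certs = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        certs.extend(dict(c.attrib) for c in conn.iter("Certificate"))
    return certs

def classify(cert_attrs: dict) -> str:
    """'keystore' = Java/keytool approach, 'pem' = Apache/OpenSSL approach."""
    if "certificateKeystoreFile" in cert_attrs:
        return "keystore"
    if all(k in cert_attrs for k in ("certificateKeyFile", "certificateFile")):
        return "pem"
    return "incomplete"

def key_has_passphrase(pem_text: str) -> bool:
    """True for an encrypted private key, which Tomcat cannot open unattended;
    strip the passphrase with 'openssl rsa -in ... -out ...' first."""
    return any(marker in pem_text for marker in ENCRYPTED_PEM_MARKERS)
```

Run it against the real C:\Novell\GroupWise\Tomcat\conf\server.xml and the key file referenced by certificateKeyFile before restarting the service, so a leftover keystore connector or an encrypted key is caught before it shows up in the catalina log.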

If this certificate switch from the Java to the Apache approach does not work for you (there are complaints about certificates in the catalina log file once you start the Tomcat/Apache service), the other way to try is to import the existing corporate certificates into the Java ".keystore" file, under the alias of the existing key entry. Example below:

keytool -import -trustcacerts -alias tomcat -keystore <path to .keystore file> -file <path to official corp cert file>

Naturally, you would need to switch back from the web/Apache approach to the Tomcat/Java security configuration in the server.xml file.
After those steps, restart the "Apache Tomcat 8.5 Tomcat 8" service to start using the Java/Tomcat approach.

If none of the above gets your existing web certificates working with this Tomcat/Apache combination, you will need to generate a new CSR file and have certificates signed for your Windows server by the CA from which you purchased the certificates before. Preferably use the Java "keytool" utility to generate the new CSR file, and send it to the CA asking for certificates for securing Java/Tomcat.
The following commands generate the new keystore (with its key pair under the "tomcat" alias) and the CSR file:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcat -keystore <path to new .keystore file>
keytool -certreq -alias tomcat -file <certreq>.csr -keystore <path to new .keystore file>